Hacker Finds Security Flaw in Firefox 3.5, Fix on the Way

A security vulnerability has been found in Firefox 3.5 that can be used to execute malicious code on an unsuspecting person's machine, Mozilla has disclosed. The company says it is actively working on a fix right now.

The flaw is in the browser's TraceMonkey JavaScript engine, a newly rewritten portion of the underlying code used to quickly render web pages. TraceMonkey debuted in Firefox 3.5, which was released two weeks ago.

Specifically, the vulnerability takes advantage of a flaw in the "just-in-time" compiler, a component of the JavaScript engine. Mozilla was apparently aware of the flaw, as it had been noted as a bug in Bugzilla, Mozilla's publicly available bug tracking app. According to ComputerWorld, Mozilla was working on a fix for the bug when the exploit code was published by an independent hacker earlier this week.

The exploit, like almost all of the browser-based vulnerabilities we see these days, relies on the hacker tricking a user into viewing a page containing a malicious script.

Most of us consider ourselves smart enough to side-step these sorts of exploits, which are initiated by clicking on an unknown link. But the danger of such attacks has been exacerbated by the rise of Twitter, Facebook and other web services where passing around shortened URLs has become the norm. Web links from bit.ly, TinyURL and other shortening services save on character counts, leaving more room for your precious wit. But they also obfuscate the destination of the link – anything could be hiding behind that click.

We recommend running an add-on like LongURL Please, which replaces shortened URLs with the originals. It works for most services, and it's updated frequently to include newcomers.
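To see where a shortened link leads without loading it in the browser, the added example below (not code from LongURL Please or from this article) follows the redirect chain with HEAD requests only, so no page body or script is ever fetched. The function name `expand` and the hop limit are assumptions made for this illustration.

```python
import http.client
import sys
from urllib.parse import urlsplit, urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}

def expand(url, max_hops=5, timeout=5):
    """Return the redirect chain for url, starting with url itself.

    Only HEAD requests are sent, so response bodies (and any script in
    them) are never downloaded. The last entry is the final destination.
    """
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        # Stop at anything that is not plain web traffic (javascript:, data:, ...).
        if parts.scheme not in ("http", "https") or not parts.hostname:
            break
        conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                    else http.client.HTTPConnection)
        conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
        try:
            path = parts.path or "/"
            if parts.query:
                path += "?" + parts.query
            conn.request("HEAD", path)
            resp = conn.getresponse()
            status = resp.status
            location = resp.getheader("Location")
        finally:
            conn.close()
        if status not in REDIRECT_CODES or not location:
            break  # reached a page that does not redirect further
        next_url = urljoin(chain[-1], location)  # Location may be relative
        if next_url in chain:
            break  # redirect loop
        chain.append(next_url)
    return chain

if __name__ == "__main__":
    # Usage: python expand.py <short-url>
    for hop in expand(sys.argv[1]):
        print(hop)
```
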

There are a few other ways to protect yourself ahead of the coming fix from Mozilla.

You can download and run the NoScript extension, which will prevent unapproved scripts from running in the browser. You can also run Firefox in Safe Mode, which will disable the JIT component.

Furthermore, you can disable only the JIT component without compromising any of Firefox's other functionality by messing with your about:config settings in the browser. Mozilla has posted instructions on how to do this on its security blog.

The fix was already scheduled for Firefox 3.5.1, a build due to be released at the end of July. Mozilla is now going to push out a security fix as soon as possible.